NFT platform Gondi moves to make users whole after $230,000 contract exploit

NFT platform Gondi has contained a recent exploit that enabled an attacker to steal dozens of NFTs from several victims, with losses estimated at about $230,000, according to Blockaid. The team is now focused on making "affected users whole," according to an update on Monday. 

According to an earlier X post from Gondi, the attack was connected to a recently deployed version of its Sell & Repay contract, a part of Gondi’s NFT lending protocol that allows borrowers to sell escrowed NFTs and automatically repay loans in a bundled transaction.

A new version of the contract was deployed on Feb. 20, apparently introducing faulty logic in its "Purchase Bundler" function that did not properly check whether a contract caller was the legitimate owner or borrower of an NFT. 

According to Etherscan, some 78 NFTs were drained across about 40 transactions to an address now labeled as GONDI Exploiter. This includes a transfer of 44 Art Blocks tokens, 10 Doodles, 2 Beeple’s “Spring Collection,” and other valuable NFT brands.

NFT collector tinoch estimated that one potential victim alone lost about 55 ETH, worth about $108,000 at the time of observation. 

“The Sell & Repay feature remains disabled while we deploy a fix. All other functionality is fully operational,” Gondi said. The team noted the exploit was limited and that NFTs in active loans were “not affected, at any point.” Likewise, the platform’s other buying, selling, listing, bidding, and trading features were unaffected. 

Gondi said all platform activity is safe to resume, including repaying, renegotiating and refinancing loans, starting new loans, and listing NFTs for sale, buying, accepting bids and trading.

The update reversed an earlier post that cautioned users against interacting with the platform. According to the announcement, Blockaid and an independent auditor have reviewed the protocol since the attack.

Restitution updates

Gondi has already taken steps to repay impacted users, including reaching out to those who interacted with the vulnerable contract.

The team has also tracked down several stolen NFTs purchased by buyers who were seemingly unaware of the exploit to return them to their original owners. 

Further, Gondi has begun using protocol fees to purchase "comparable items" from 1/1-of-X collections to offset losses for affected users. "While not the exact same piece, we believe this is a fair and meaningful resolution and are coordinating directly with each owner," Gondi wrote. Similarly, the team is "in active discussions with the relevant parties" who lost one-of-one NFTs that could not be easily replaced.

The Block reached out to Gondi for comment.

Gondi is a decentralized, non-custodial NFT liquidity marketplace and lending protocol that allows users to post NFTs as collateral for loans, lend assets to earn interest on those loans, and refinance their NFT positions.

Source: https://www.theblock.co/post/392909/nft-platform-gondi-moves-users-whole-230000-contract-exploit